diff options
| author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:50:36 +0300 |
|---|---|---|
| committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:50:39 +0300 |
| commit | 80dd048222b9da5199195a1b620cc5b651216fd6 (patch) | |
| tree | 619e56c12cbf30f14e1d18dbd55a1a882c2222ee /lib | |
| parent | 0d22b9b88888d7c339cd678c3baaa83c25c7ccd7 (diff) | |
Merge branch 'security-fix-regex-dos-11-6' into 'security-11-6'
[11.6] Fix DoS in reference extraction regexes
See merge request gitlab/gitlabhq!2778
(cherry picked from commit 06f1ea1f540b62aefbaa4f69901de2d29df11e7c)
e73f2f1d Fix slow project reference pattern regex
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/path_regex.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb index fa68dead80b..3c888be0710 100644 --- a/lib/gitlab/path_regex.rb +++ b/lib/gitlab/path_regex.rb @@ -125,7 +125,8 @@ module Gitlab # allow non-regex validations, etc), `NAMESPACE_FORMAT_REGEX_JS` serves as a Javascript-compatible version of # `NAMESPACE_FORMAT_REGEX`, with the negative lookbehind assertion removed. This means that the client-side validation # will pass for usernames ending in `.atom` and `.git`, but will be caught by the server-side validation. - PATH_REGEX_STR = '[a-zA-Z0-9_\.][a-zA-Z0-9_\-\.]*'.freeze + PATH_START_CHAR = '[a-zA-Z0-9_\.]'.freeze + PATH_REGEX_STR = PATH_START_CHAR + '[a-zA-Z0-9_\-\.]*'.freeze NAMESPACE_FORMAT_REGEX_JS = PATH_REGEX_STR + '[a-zA-Z0-9_\-]|[a-zA-Z0-9_]'.freeze NO_SUFFIX_REGEX = /(?<!\.git|\.atom)/.freeze |